YARA For Everyone: Sharing is Caring

Posted on 2019-06-30 by William MacArthur

Introduction

This is the first post in an ongoing series about YARA and its exceptional ability to carve inside of binaries, documents, photos, and other types of files to uncover and match patterns. The additional posts in the series will give anyone who is thinking about gaining YARA skills the ability to start from scratch and get comfortable with the tool's functionality. Each post will advance in skill level and include some of the personal and professional standards we follow to instill good habits early on in the learning process.

The quickest way to get our hands on keyboard is getting set up (takes 5 minutes if that) and then diving straight into a practical example. This type of approach is best because everyone can get started in just a few minutes and start enjoying the tool. One last thing is we do want to note that having something other then the manual to read (though one of the best resources) is just a different learning method that may work better for some people. Having a bit more experience with the tool can make reading the manual a lot more interesting as you pick up additional ways to utilize the tool that you have not thought about otherwise. Let's get started!

Installing YARA to run on the appropriate operating system

Mac
Install Homebrew from the terminal
- hit “command + spacebar” and type terminal then hit enter
Run the following command
- /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Run the following command to complete the installation of YARA
- brew install yara

Windows

Windows YARA runs on a .EXE file that can be obtained from visiting one the links provided for your windows operating system.
Yara-v3.10.0-904-win32.zip OR Yara-v3.10.0-904-win64.zip
Unzip the file and place it in a location you will remember
- Double click the zip file which will unzip the contents and make a new folder with YARA inside of it.
Open Command Prompt
- Go to “Start” and type in the search cmd and click on Command Prompt
Navigate to the location just created that has yara64.exe in it using the command prompt.
- cd C:\Users\username\Desktop\yara-v3.10.0-904-win64 and hit enter

Linux

There is a lot of flavors of Linux but we will focus on Debian
Prepare your Debian system for Yara by installing the following packages
- sudo apt-get install automake libtool make gcc
Download the source files for YARA
Run the tar command to untar the files so we can use them to compile
- tar -zxf yara-3.10.0.tar.gz
Change into the directory the source files are located at
- cd yara-3.10.0
Run this command to bootstrap
- ./bootstrap.sh
Run the following commands
- ./configure
- make
- sudo make install
Run the following to make sure everything is running smoothly
- Make check
We are almost to the fun part!! First, we need to make sure that we can run YARA without any errors before moving on. To test you simply type yara or yara64.exe and hit enter. If the following message is displayed on the screen after running the YARA command, you have succeeded with the installation!!!!

Next step will be to create a new Directory/Folder to hold the rules we will be creating. To create one can be done on the command line or by right-clicking on the desktop and create a new folder/file.

No matter what operating system YARA is installed on, we suggest that the rules start as there own file until the rule is completed. Once completed copy and paste the rule and append it inside a “master.rules” file. This file will be where all of the finalized rules for YARA will be housed.

Now that the directory and some of the empty rule files have been created we need a rule to test out what we have set up. The YARA rule template below is a good way to start writing your first rule. Go ahead and copy and paste the template into the name_hunter.rule file just created.

rule yara_base_template : template
{
meta:
author = "name of the rule creator"
description = "This is a template used for yara rules"
creation_date = "2019-06-28"
rule_id = 9000000
version = 1
strings:
$text_string_1 = " "
condition:
any of them
}
/*
This is a place for comments
*/

Once the template is pasted into the name_hunter.rule file we can adjust it to match our name inside of files!!! The below example is filled out a bit more and should be saved once it looks like this.

rule my_name_hunter_rule_is_neat : name_hunter
{
meta:
author = "put your name here as you created it"
description = "This rule is for finding my name inside of files using a string match"
creation_date = "2019-06-28"
version = 1
strings:
$name1 = "PutyourNameHere" nocase
condition:
any of them
}
/*
This is the first rule we created and it finds in its current state
Anything that will match PutyourNameHere. We can extend
This and add multiple names by adding more strings like
$name2 = "PutSomeonesNameHere” right under $name1.
The Nocase appended to $name1 means PutyourNameHere is not case sensitive
*/

Next, we will want to make one more file that is not inside of the yara_rules directory/folder and put your name inside of it. The file name can be anything you will remember, so for this use case we used testingfile.txt for testing. Additionally, If you wanted some added fun, copy and paste a lot of random words from an article or another file you may have handy. This will make your name more hidden when we run YARA with the new rule.

The following command is one way how YARA is started in order to carve through files:

The following output is using our rule we just created against the testing file and shows that we have a match!!!

yara -gs /Users/username/Desktop/yara_rules/name_hunter.rule testingfile.txt ← command
my_name_hunter_rule_is_neat [name_hunter] testingfile.txt ← rule that matched and file)
0x12d:$name1: PutyourNameHere ← location, string, matched content)
This was a fast way to get everyone up and running in order to get a practical example of what YARA can do. We hope this was an alternative to reading a manual. The next post will provide additional tips and tricks. Play with YARA and happy hunting.